Nearly half (48 per cent) of cyber breaches now involve ransomware, but payouts are shrinking. Even as ransom amounts decrease, businesses are frequently choosing not to pay, according to the 2026 Verizon Data Breach Investigations Report (DBIR).
The annual report suggests that higher click rates make mobile devices the new favourite target. Tech users have become better at spotting phishing emails, so attackers are moving. Whether it’s a fake text or a scam call, people are often more likely to fall for a mobile threat than a traditional email. Attack techniques are now being bolstered by generative AI. Threat actors are using AI to work faster at every stage, from spotting security gaps to writing malware.
And some 31 per cent of breaches now start with software vulnerabilities, beating stolen passwords as the top way attackers get in. Hackers are shifting their focus from tricking people to exploiting systems, the report suggests.
Comments
Anna Collard, SVP of Content Strategy and CISO Advisor at the anti-phishing platform KnowBe4, said: “We’re seeing a convergence of AI acceleration, increasingly complex supply chains, and expanding attack surfaces creating a kind of ‘capacity crisis’ for defenders. The statistic that 31 per cent of breaches now involve vulnerability exploitation, overtaking credential theft, reflects how quickly attackers are operationalising known flaws, often faster than organisations can patch them. Companies who tested Mythos attested to the strength of new frontier models making vulnerabilities research and exploitation much faster and effective than human teams can keep up with. One of the people testing it literally said it can do in three weeks what ten pen [penetration] testers can do in one year.
“What also stands out is the growing dependency on third parties and interconnected platforms. Modern organisations no longer operate in isolation, and every supplier, SaaS platform, API, or AI-enabled workflow potentially extends the trust boundary. That makes cyber resilience not just a technical issue, but increasingly a governance, visibility, and ecosystem-trust challenge.”
For the first time in the report’s 19-year history, vulnerability exploitation has overtaken stolen credentials as the leading initial access vector, says Keeper Security’s CEO and co-founder, Darren Guccione. He says: “It’s clear that AI is driving that change, compressing the time it takes for attackers to weaponise known flaws from months to hours. What that means for security leaders is that the detection and remediation window has not just narrowed – in many organisations it has effectively closed before defences have a chance to act.
“Keeper’s recent research makes this problem visible. Nearly three quarters of organisations reported they are not detecting credential misuse or unauthorised privileged access in real time. That detection gap is the interval in which attackers move laterally, escalate privileges and inflict harm that can take months to reverse.
“The DBIR’s findings on shadow AI are equally instructive. Frequent use of unapproved AI tools by employees has tripled to 45pc of the workforce in a single year, creating significant data leakage risk. Keeper’s research corroborates these findings: 56pc of organisations identified employees inadvertently opening themselves up to risk through AI use as their biggest AI security gap. Data leakage from employees’ use of AI tools was the third most cited concern in relation to AI-related cybersecurity risks at 35pc.
“Supply chain exposure and mobile social engineering round out a picture of an attack surface that is not only growing, but fragmenting in ways that traditional controls were not designed to address. The DBIR reports that breaches involving a third party now account for 48pc of all incidents, a substantial 60pc year-on-year increase. Keeper’s research shows that organisations recognise the problem with nearly a quarter identifying limited oversight of third party and vendor access as a gap in their cybersecurity. Recognition, however, is not remediation. The breach data suggest that this awareness is not translated into adequate controls at anything approaching the speed the threat requires.
“Viewed from a wider lens, DBIR’s findings point to the gap between attack sophistication and organisational defence capability continuing to widen. Zero-trust architecture, enforced least-privilege access, privileged access management and unified credential governance cannot be viewed as long-term investments in this environment.”
About the report
Verizon bases its DBIR on law enforcement, forensic firms, law firms, cyber insurers, cybersecurity industry sharing groups, and its own Verizon Threat Research Advisory Center (VTRAC) caseload. Visit https://www.verizon.com/business/resources/reports/dbir/.





